Validate your Security Posture against BlueKeep


November 6th, 2019

SafeBreach focuses on building attacks based on various frameworks; the MITRE ATT&CK framework is the most famous, but it is not the only source of tactics, techniques and procedures (TTPs) that the SafeBreach Labs teams use to ensure organizations are safe from old and new attacks. There are also high-priority vulnerabilities that clients are concerned about but that are not yet live attacks in the wild. For those cases, the SafeBreach platform has a Red Team interface called Breach Studio that lets teams extend the SafeBreach Hacker Playbook with custom attacks.

A case in point of such a high-priority vulnerability is BlueKeep (CVE-2019-0708). Microsoft, the NSA, and CISA have put out numerous warnings to patch for BlueKeep, but most organizations have not had the cycles to make the patch a priority. This is a clear indication that security teams are so deep in reactive work that a potential impact cannot make it onto the top-priority list. This is where SafeBreach, a Breach and Attack Simulation platform, can help your security teams validate your security posture against a specific vulnerability.

SafeBreach Labs has assisted our customers by supplying a sample Python script that can be loaded into Breach Studio to quickly and effectively validate an organization’s posture against BlueKeep.

Although BlueKeep has not yet inflicted pain in the market, there are already instances of attackers scanning for vulnerable, unpatched Windows systems that expose Remote Desktop Services (RDP) on port 3389. There is speculation that this is preparation for a large attack or for deploying a cryptocurrency miner. Either way, the time for every organization to know its security posture against BlueKeep is now.

Here is how quickly and easily SafeBreach customers can learn their posture and prioritize patching:

1. Access and download the sample Python scripts from the SafeBreach Support Portal. The BlueKeep Scanner consists of 3 files:

2. From the SafeBreach Breach Studio select Create from Python:

Breach_Studio.png

3. Build out the Custom Breach Method:

  • Name = BlueKeep
  • Description = Validate against BlueKeep
  • Attack Phase = Lateral Movement, as this is a network-based attack on RDP port 3389
  • Attacker OS = Any; select all available operating systems
  • Upload = Attacker.py
  • Target OS = Windows, as this is a Windows-specific vulnerability
  • Upload = Target.py

Load_Sample_BlueKeep.png

4. Save and run the test against all Windows simulators.


Pick_Sims.png

5. The BlueKeep simulation reports the target IPs on which the attacker simulator tested RDP connectivity on port 3389.


Successful_Run.png

The BlueKeep vulnerability lies in one of the options used when creating an RDP session (the MS_T120 channel). The script initiates an RDP session from the attacker simulator to the target simulator using the specific configuration that the BlueKeep vulnerability relies on. On computers that are patched and not vulnerable to BlueKeep, this configuration is blocked or ignored.

The script reports one of the following outcomes:

  • The RDP port is closed on the target or is not reachable from the attacker simulator.
  • The computer is patched, or its OS version is not vulnerable (such as Windows 10).
  • The computer is vulnerable to BlueKeep.

For Microsoft’s recommendations on protecting against the BlueKeep vulnerability, see the Microsoft blog post “Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)”. For more technical detail on how the vulnerability works, see the Palo Alto Networks blog post “Exploitation of Windows CVE-2019-0708 (BlueKeep): Three Ways to Write Data into the Kernel with RDP PDU”.


6. Publish the simulation to the Playbook so that this attack method is tested continuously in your environment, since environmental and configuration changes can expose this vulnerability at a later time.

BlueKeep_Playbook.png


If simulating the attack does expose a vulnerable system, it is urgent to apply the Microsoft security patch for CVE-2019-0708 to protect against future exploitation, and to block RDP at your firewall.

Security researchers have demonstrated BlueKeep’s potential; now it is time to find out your security posture before exploits for the vulnerability reach their full potential.

Request a demo of SafeBreach to learn how SafeBreach can help your security team quickly and easily gain a proactive stance to answer the question, “How secure are we against BlueKeep?”